Micro-credential in Internal Control and Risk Management in Public Administration

Base Knowledge

Not applicable

Teaching Methodologies

The methodology favours learning based on interactive lectures and demonstrations with practical cases, with discussion and formative feedback on Internal Control and Risk Management in Public Administration. Assessment is qualitative, based on the work developed throughout the training and participation in classes.

Learning Results

By the end of the training, participants should be able to:

· Identify key concepts of internal control, risk, risk appetite/tolerance, preventive/detective control, and control effectiveness.

· Map critical processes and their risk points, defining causes, events, impacts, and mitigation measures.

· Build a risk and control matrix (RCSA) with probability/impact criteria and prioritisation.

· Design and document controls (including segregation of duties, authorisations, reconciliations, and audit trails) and their supporting evidence.

· Define risk and control indicators (KRIs/KPIs) and monitoring and reporting mechanisms for management.

· Plan risk responses (mitigate, accept, transfer, avoid) and follow up on action plans.

· Recognise signs of fraud and typical vulnerabilities in Public Administration (incl. procurement and payments) and apply prevention/detection measures.

· Integrate compliance concepts and cross-cutting requirements (data protection, information security, transparency) into risk management.

· Prepare essential documentation for internal/external audits and support continuous improvement.

Program

· Foundations and framework in Public Administration

· Internal control: objectives, components, and benefits

· Risk management: concepts, common language, and responsibilities

· Good practices and frameworks (overview): COSO – Internal Control and COSO ERM; “3 lines” (governance model)

· Governance, roles, and responsibilities

· Governing/management bodies, operational areas, compliance, internal audit

· Risk culture, ethics, integrity, and accountability

· Internal policies, procedures, and regulations

· Process mapping and risk identification

· Value chain and critical processes in Public Administration (e.g., revenue, expenditure, payments, human resources, assets, ICT)

· Identification techniques: interviews, workshops, document analysis, incidents, audits

· Operational, financial, legal/regulatory, reputational, and technological risks

· Assessment and prioritisation

· Probability/impact criteria; inherent vs. residual risk

· Risk matrix; tolerances and priorities

· Risk register and “top risks”

· Control design and improvement

· Types of controls: preventive, detective, corrective; manual vs. automated

· Segregation of duties and access controls

· Typical controls: authorisations, validations, reconciliations, sampling, supervision, audit trails

· Control evidence and documentation (procedures, checklists, logs)

· Monitoring, indicators, and reporting

· KRIs/KPIs and control effectiveness testing

· Monitoring plans (frequency, samples, responsibilities)

· Reporting: risk/control dashboards, reports to management and committees

· Fraud risks and irregularities

· Fraud triangle; warning signs and vulnerable points

Internship(s)

No

Bibliography